How to access a server in a VPN from a home computer via a separate notebook with the VPN connection

For my local work environment I would like to access all my company's servers directly from my workstation elsewhere.
To make this really fun, the only access possible is via the VPN on the company-managed notebook, and the notebook does not allow connections to the local network.

Obviously, no IT department is helping you with such a problem.

linux vpn remote ssh-tunneling

asked Jan 10 at 0:25, edited yesterday
U.V.

  • Why don't you ask the IT department for help?
    – jsotola, Jan 10 at 3:40

2 Answers

If you can SSH to the company notebook from your home computer, then you can use SSH tunnelling or SSH jump hosts.

answered Jan 10 at 1:55
Jonathan Rouleau


There is a lot of SSH tunneling documentation, but it doesn't cover this specific scenario.

So to get from

    Workstation <-> Notebook <-> Company Network

we need an extra system on N which plays the router to connect the separate networks.

We need an additional VM on the Notebook with 2 network ports.
One is connected to the host network via NAT,
the other is connected to the LAN via a bridged connection.

So we can get a connection as

    W <-> VM1 <-> VM2 <-> N1 <-> N2 <-> CN

This can be configured via ssh config.
An example with some bogus IPs:

    W   = 192.0.0.3  <LAN>       VM1       = 192.0.0.2
    VM1 = 192.0.0.2  <route>     VM2       = 10.0.0.3
    VM2 = 10.0.0.3   <NAT>       NATRouter = 10.0.0.1
    NR  = 10.0.0.1   <nat2host>  N1        = 20.0.0.4
    N2  = 20.0.0.4   <vpnroute>  CN          0.0.0.0/0

This is the description of the network hops between the systems.

So to connect to a server in the CN we need to solve 2 separate steps.
We need to set up ssh configurations for the intermediate hops.
.ssh/config entries:

    # reaching the VM
    Host VM
        User vmuser
        IdentityFile ~/.ssh/vm_id_rsa
        ForwardX11 yes

    # reaching a host inside the CN
    Host CNhost
        User companyuser
        IdentityFile ~/.ssh/cnhost_id_rsa
        ForwardX11 yes
        # tunnel through the VM entry above (name must match "Host VM" exactly);
        # -A forwards the SSH agent to that hop
        ProxyCommand ssh -A VM nc %h %p 2> /dev/null

Another important issue is the correct routing within the VM.
The route to the bridged LAN 192.0.0.0/24 needs to have a lower metric than the default route to the NAT 10.0.0.1.

    vm$ ip route
    default via 10.0.0.1 metric 100
    10.0.0.0/24 dev nat1 metric 100
    192.0.0.0/24 dev bridge1 metric 99

Now the interesting case is when we also want to access a server on an internal network which is accessible only from a server already inside the company network.
A classical jumphost configuration.
For that we need another .ssh/config entry:

    # reaching a host on a CN internal network
    Host CNInternalhost
        User cnInternalUser
        IdentityFile ~/.ssh/cninternalhost_id_rsa
        ForwardX11 yes
        # tunnel through CNhost, which itself is reached through the VM
        ProxyCommand ssh -A CNhost nc %h %p 2> /dev/null

Now we should be able to simply ssh into the CNInternalhost.

If not, the routing tables need to be checked (e.g. missing routes or wrong metrics).

But we also want to access a service on this internal host directly from our local workstation!

For this we now create the tunnel using the hops preconfigured in the .ssh/config:

    ssh -L <portOnLocalhost>:CNInternalhost:<portOnCNInternalHost> CNhost

Now we can access CNInternalhost:<portOnCNInternalHost> on localhost:<portOnLocalhost>.

If we want to reuse an additional network name (ServerX) in our local setup, we can add a host alias on our local host for our LAN IP and create an additional tunnel for it.

    echo 192.0.0.3 ServerX >> /etc/hosts

This also requires an additional .ssh/config entry:

    # configuring another host on the CN internal network
    Host serverX
        User cnInternalUser
        IdentityFile ~/.ssh/serverX_id_rsa
        ForwardX11 yes
        ProxyCommand ssh -A CNhost nc %h %p 2> /dev/null

With this ssh config we can now create a tunnel like this:

    ssh -L serverX:<portOnLocalhost>:serverX:<portOnLocalhost> CNhost

as long as serverX is accessible from CNhost.

And we can do a:

    $ wget serverX:<portOnLocalhost>

answered yesterday
U.V.
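
The nested ProxyCommand entries in the answer above form a chain of hops, and every `ssh -A` in that chain hands the forwarded SSH agent to an intermediate machine. The script below is an added example, not part of the original answer: it resolves the chain from the config and lists the hops that receive the agent. The function names and the embedded sample config are constructed here, with the jump name written as `VM` so it matches its Host entry.

```shell
#!/bin/sh
# Added example, not from the original answer: audit nested ProxyCommand hops.

# Constructed sample: the Host entries from the answer. Jump names are written
# exactly like the Host lines because ssh_config arguments are case-sensitive.
sample_config() {
cat <<'EOF'
Host VM
    User vmuser
    IdentityFile ~/.ssh/vm_id_rsa
    ForwardX11 yes

Host CNhost
    User companyuser
    IdentityFile ~/.ssh/cnhost_id_rsa
    ForwardX11 yes
    ProxyCommand ssh -A VM nc %h %p 2> /dev/null

Host CNInternalhost
    User cnInternalUser
    IdentityFile ~/.ssh/cninternalhost_id_rsa
    ForwardX11 yes
    ProxyCommand ssh -A CNhost nc %h %p 2> /dev/null
EOF
}

# proxy_of HOST  (config text on stdin)
# Prints "<jump-host> <yes|no>" for HOST's "ProxyCommand ssh ..." line; the second
# field says whether -A (agent forwarding) is passed. Prints nothing when HOST
# has no such line. Host names are compared literally (no wildcard patterns).
proxy_of() {
    awk -v want="$1" '
        tolower($1) == "host" {
            in_block = 0
            for (i = 2; i <= NF; i++) if ($i == want) in_block = 1
            next
        }
        in_block && tolower($1) == "proxycommand" && $2 == "ssh" {
            agent = "no"
            for (i = 3; i <= NF; i++) {
                if ($i == "-A") { agent = "yes"; continue }
                if ($i ~ /^-[FJilop]$/) { i++; continue }   # flag that takes an argument
                if ($i ~ /^-/) continue                     # flag without an argument
                print $i, agent                             # first bare word is the jump host
                exit
            }
        }
    '
}

# walk HOST MODE: follow ProxyCommand entries from HOST back to the workstation.
#   MODE=chain -> all hops in connection order, target last
#   MODE=agent -> only the hops that are handed a forwarded agent
walk() {
    target=$1; mode=$2; chain=$1; agent=""; seen=" $1 "
    while :; do
        set -- $(sample_config | proxy_of "$target")
        [ $# -eq 0 ] && break
        case "$seen" in
            *" $1 "*) echo "proxy loop at $1" >&2; return 1 ;;
        esac
        seen="$seen$1 "
        chain="$1 $chain"
        [ "$2" = yes ] && agent="$1 $agent"
        target=$1
    done
    if [ "$mode" = agent ]; then echo $agent; else echo "$chain"; fi
}

hop_chain()  { walk "$1" chain; }
agent_hops() { walk "$1" agent; }

echo "hops to CNInternalhost:       $(hop_chain CNInternalhost)"
echo "hops given a forwarded agent: $(agent_hops CNInternalhost)"
```

OpenSSH's `ProxyJump` option (`-J`) reaches the same hops without forwarding the agent to them.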



